UNPKG

@soos-io/soos-sast

Version:

SOOS Static Application Security Testing (SAST) scanning support. Register for a free SOOS trial at https://app.soos.io/register

github.com/soos-io/soos-sast

soos-io/soos-sast

167 lines (166 loc) 8.74 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
#!/usr/bin/env node "use strict"; Object.defineProperty(exports, "__esModule", { value: true }); const tslib_1 = require("tslib"); const api_client_1 = require("@soos-io/api-client"); const utilities_1 = require("@soos-io/api-client/dist/utilities"); const process_1 = require("process"); const package_json_1 = require("../package.json"); const AnalysisService_1 = tslib_1.__importDefault(require("@soos-io/api-client/dist/services/AnalysisService")); const AnalysisArgumentParser_1 = tslib_1.__importDefault(require("@soos-io/api-client/dist/services/AnalysisArgumentParser")); const constants_1 = require("./constants"); class SOOSSASTAnalysis { args; constructor(args) { this.args = args; } static parseArgs() { const analysisArgumentParser = AnalysisArgumentParser_1.default.create(api_client_1.IntegrationName.SoosSast, api_client_1.IntegrationType.Script, api_client_1.ScanType.SAST, package_json_1.version); analysisArgumentParser.addArgument("directoriesToExclude", "Listing of directories or patterns to exclude from the search for manifest files. eg: **bin/start/**, **/start/**", { argParser: (value) => { return value.split(",").map((pattern) => pattern.trim()); }, }); analysisArgumentParser.addArgument("filesToExclude", "Listing of files or patterns patterns to exclude from the search for manifest files. eg: **/sa**.sarif.json/, **/sast.sarif.json", { argParser: (value) => { return value.split(",").map((pattern) => pattern.trim()); }, }); analysisArgumentParser.addArgument("sourceCodePath", "The path to start searching for SAST files.", { defaultValue: process.cwd(), }); analysisArgumentParser.addArgument("outputDirectory", "Absolute path where SOOS will write exported reports and SBOMs. eg Correct: /out/sbom/ | Incorrect: ./out/sbom/", { defaultValue: process.cwd(), }); return analysisArgumentParser.parseArguments(); } async runAnalysis() { const scanType = api_client_1.ScanType.SAST; const soosAnalysisService = AnalysisService_1.default.create(this.args.apiKey, this.args.apiURL); let projectHash; let branchHash; let analysisId; let scanStatusUrl; let scanStatus; try { const result = await soosAnalysisService.setupScan({ clientId: this.args.clientId, projectName: this.args.projectName, commitHash: this.args.commitHash, contributingDeveloperAudit: !this.args.contributingDeveloperId || !this.args.contributingDeveloperSource || !this.args.contributingDeveloperSourceName ? [] : [ { contributingDeveloperId: this.args.contributingDeveloperId, source: this.args.contributingDeveloperSource, sourceName: this.args.contributingDeveloperSourceName, }, ], branchName: this.args.branchName, buildVersion: this.args.buildVersion, buildUri: this.args.buildURI, branchUri: this.args.branchURI, integrationType: this.args.integrationType, operatingEnvironment: this.args.operatingEnvironment, integrationName: this.args.integrationName, appVersion: this.args.appVersion, scanType, scriptVersion: this.args.scriptVersion, toolName: undefined, toolVersion: undefined, }); projectHash = result.projectHash; branchHash = result.branchHash; analysisId = result.analysisId; scanStatusUrl = result.scanStatusUrl; const { filePaths, hasMoreThanMaximumFiles } = await soosAnalysisService.findAnalysisFiles(scanType, this.args.sourceCodePath, constants_1.SOOS_SAST_CONSTANTS.FilePattern, this.args.filesToExclude, this.args.directoriesToExclude, constants_1.SOOS_SAST_CONSTANTS.MaxFiles); if (filePaths.length === 0) { const noFilesMessage = `No SAST input files found. Please ensure you have generated Sarif JSON files before running soos-sast. They need to match the pattern ${constants_1.SOOS_SAST_CONSTANTS.FilePattern}. See https://kb.soos.io/getting-started-with-sast-secrets for more information.`; await soosAnalysisService.updateScanStatus({ analysisId, clientId: this.args.clientId, projectHash, branchHash, scanType, status: api_client_1.ScanStatus.NoFiles, message: noFilesMessage, scanStatusUrl, }); api_client_1.soosLogger.error(noFilesMessage); api_client_1.soosLogger.always(`${noFilesMessage} - exit 1`); (0, process_1.exit)(1); } api_client_1.soosLogger.info("Uploading SAST File(s)..."); const formData = await soosAnalysisService.getAnalysisFilesAsFormData(filePaths, this.args.sourceCodePath); await soosAnalysisService.analysisApiClient.uploadScanToolResult({ clientId: this.args.clientId, projectHash, branchHash, scanType, scanId: analysisId, resultFile: formData, hasMoreThanMaximumFiles, }); api_client_1.soosLogger.info("Scan results uploaded successfully."); scanStatus = await soosAnalysisService.waitForScanToFinish({ scanStatusUrl, scanUrl: result.scanUrl, scanType, }); if ((0, utilities_1.isScanDone)(scanStatus) && this.args.exportFormat !== api_client_1.AttributionFormatEnum.Unknown && this.args.exportFileType !== api_client_1.AttributionFileTypeEnum.Unknown) { await soosAnalysisService.generateFormattedOutput({ clientId: this.args.clientId, projectHash: result.projectHash, projectName: this.args.projectName, branchHash: result.branchHash, analysisId: result.analysisId, format: this.args.exportFormat, fileType: this.args.exportFileType, includeDependentProjects: false, includeOriginalSbom: false, includeVulnerabilities: false, workingDirectory: this.args.outputDirectory, }); } const exitCodeWithMessage = (0, utilities_1.getAnalysisExitCodeWithMessage)(scanStatus, this.args.integrationName, this.args.onFailure); api_client_1.soosLogger.always(`${exitCodeWithMessage.message} - exit ${exitCodeWithMessage.exitCode}`); (0, process_1.exit)(exitCodeWithMessage.exitCode); } catch (error) { if (projectHash && branchHash && analysisId && (!scanStatus || !(0, utilities_1.isScanDone)(scanStatus))) await soosAnalysisService.updateScanStatus({ analysisId, clientId: this.args.clientId, projectHash, branchHash, scanType, status: api_client_1.ScanStatus.Error, message: `Error while performing scan.`, scanStatusUrl, }); api_client_1.soosLogger.error(error); api_client_1.soosLogger.always(`${error} - exit 1`); (0, process_1.exit)(1); } } static async createAndRun() { try { const args = this.parseArgs(); api_client_1.soosLogger.setMinLogLevel(args.logLevel); api_client_1.soosLogger.always("Starting SOOS SAST Analysis"); api_client_1.soosLogger.debug(JSON.stringify((0, utilities_1.obfuscateProperties)(args, ["apiKey"]), null, 2)); const soosSASTAnalysis = new SOOSSASTAnalysis(args); await soosSASTAnalysis.runAnalysis(); } catch (error) { api_client_1.soosLogger.error(`Error on createAndRun: ${error}`); api_client_1.soosLogger.always(`Error on createAndRun: ${error} - exit 1`); (0, process_1.exit)(1); } } } SOOSSASTAnalysis.createAndRun();